seen-haus / seen-contracts

Seen Haus contract suite
GNU General Public License v3.0

MHB-02M: Improper Fee Deduction #15

Closed JayWelsh closed 2 years ago

JayWelsh commented 2 years ago

MHB-02M: Improper Fee Deduction

| Type | Severity | Location |
| --- | --- | --- |
| Mathematical Operations | Minor | MarketHandlerBase.sol:L320, L323, L324 |

Description:

The deductFee function assumes that the split value is equal to feeAmount when multiplied by 2, which is not the case, as Solidity suffers from mathematical truncation. This will lead to funds being permanently locked in any MarketHandlerBase contract.

Example:

// Integer division truncates: for an odd feeAmount, split * 2 == feeAmount - 1
uint256 split = feeAmount / 2;
address payable staking = marketController.getStaking();
address payable multisig = marketController.getMultisig();
staking.transfer(split);
// Both recipients get `split`, so the truncated wei never leaves the contract
multisig.transfer(split);

// Return the seller payout amount after fee deduction
payout = _netAmount - feeAmount;

Recommendation:

We advise the second transfer to instead use feeAmount - split rather than split to ensure truncated funds are accounted for.
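The following is an added example, not code from the seen-contracts repository: a small Python model of the deductFee split that uses floor division to mirror Solidity's truncating uint256 division, placing the original logic beside the recommended fix and tallying how much of each fee is left stranded in the contract. The sale and fee amounts are constructed sample values in wei.

```python
# Added example (not from seen-contracts): model of MarketHandlerBase.deductFee.
# Python's // on non-negative ints truncates exactly like Solidity's uint256 /.

def deduct_fee_vulnerable(net_amount: int, fee_amount: int):
    """Original logic: staking and multisig each receive feeAmount / 2.
    Returns (payout, staking_share, multisig_share, stuck_in_contract)."""
    split = fee_amount // 2
    staking_share = split
    multisig_share = split
    payout = net_amount - fee_amount
    # Whatever the two transfers do not cover stays in the contract forever
    stuck = fee_amount - staking_share - multisig_share
    return payout, staking_share, multisig_share, stuck


def deduct_fee_fixed(net_amount: int, fee_amount: int):
    """Recommended fix: the second transfer sends feeAmount - split, so the
    wei lost to truncation goes to the multisig instead of staying behind."""
    split = fee_amount // 2
    staking_share = split
    multisig_share = fee_amount - split
    payout = net_amount - fee_amount
    stuck = fee_amount - staking_share - multisig_share  # always 0 now
    return payout, staking_share, multisig_share, stuck


def conserves_value(net_amount: int, fee_amount: int, deduct) -> bool:
    """Sanity check: every wei of net_amount ends up somewhere accountable."""
    payout, staking, multisig, stuck = deduct(net_amount, fee_amount)
    return payout + staking + multisig + stuck == net_amount


def locked_after_sales(sales, deduct) -> int:
    """Total wei stranded in the contract after handling each (net, fee) sale."""
    return sum(deduct(net, fee)[3] for net, fee in sales)


# Constructed sample sales (net amount, fee amount) in wei; three fees are odd.
SAMPLE_SALES = [
    (1_000_000, 25_001),
    (500_000, 12_500),
    (999, 3),
    (2_000_000, 50_001),
]

if __name__ == "__main__":
    print("locked (original):", locked_after_sales(SAMPLE_SALES, deduct_fee_vulnerable))
    print("locked (fixed):   ", locked_after_sales(SAMPLE_SALES, deduct_fee_fixed))
```

Each odd fee strands one wei under the original logic, and the dust only grows with the number of sales the handler processes; the fixed split leaves nothing behind while still paying the seller exactly net minus fee.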

JayWelsh commented 2 years ago

Fixed by https://github.com/seen-haus/seen-contracts/pull/44

JayWelsh commented 2 years ago

Extra change required for correct value in log: https://github.com/seen-haus/seen-contracts/pull/56

JayWelsh commented 2 years ago

Fixed by https://github.com/seen-haus/seen-contracts/pull/56